Re: [Freeipa-users] add a cert of .net insetad of .com error ?

2014-04-14 Thread Rob Crittenden 

Please keep replies on the list.

barry...@gmail.com wrote:

Is it meant that i cannot use def.abc.net  cert for
the host def.abc.com  ???


Correct.


only i can used is same as hostname and domain ...or wildcard *.abc,com ?


For now yes. Eventually we may be able to use SNI to use certificates 
with multiple names but we aren't there yet.


rob



Thanks



2014-04-11 20:47 GMT+08:00 Rob Crittenden mailto:rcrit...@redhat.com>>:

barry...@gmail.com  wrote:

Dear all:

I added *.abc.net   cet to
  certutil -d /etc/httpd/alias

and /etc/dirsrv/slapd-ABC-COM

But error comes out after when i login the UI of service and
cick in entry .

cannot connect to
'https://cert1.abc.com:443/ca/__agent/ca/displayBySerial
': [Errno
-12276]
(SSL_ERROR_BAD_CERT_DOMAIN) Unable to communicate securely with
peer:
requested domain name does not match the server's certificate.


This is the SSL MITM protection. The subject of the certificate on
the server needs to match the hostname that the client is requesting.

You can't just change the domain name of your installation by
replacing the certificates.

rob




___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] add a cert of .net insetad of .com error ?

2014-04-11 Thread Rob Crittenden 

barry...@gmail.com wrote:

Dear all:

I added *.abc.net  cet to  certutil -d /etc/httpd/alias
and /etc/dirsrv/slapd-ABC-COM

But error comes out after when i login the UI of service and cick in entry .

cannot connect to
'https://cert1.abc.com:443/ca/agent/ca/displayBySerial': [Errno -12276]
(SSL_ERROR_BAD_CERT_DOMAIN) Unable to communicate securely with peer:
requested domain name does not match the server's certificate.


This is the SSL MITM protection. The subject of the certificate on the 
server needs to match the hostname that the client is requesting.


You can't just change the domain name of your installation by replacing 
the certificates.


rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users